PFsense 2.1 MultiCP and https with Windows Radius Guide

I couldnt find any guide on how to do this so I decided to make one myself and I hope at least someone will be helped by this guide. Enjoy!

Configure PFsense 2.1 RC0 Multiple Captive Portal and https

The purpose of this guide is to teach how to create multiple captive portals for different networks authenticating to the same radius server as well as with vouchers.

Prerequisites

I will be using Virtualbox to create a virtual environment and I will set up one Windows Server 2012(standard or datacenter) with gui, one pfsense 2.1 RC0

You can set this up in pretty much any virtualized environment or you can go physical. It doesn’t really matter as long as you know how to set up the network in your environment. For HTTPS you will need a startSSL account and a domain name or you can setup it up with self-signed certificates.

Also make sure that you have an email account for your domain named postmaster@yourdomain.tld. You could use another email account but there are only a few to choose from. I had the option of hostmaster and webmaster as well. If this is a problem for you and you don’t really know how to do this you can set up your account with outlook.com or Google Apps. There is plenty of guides out there on how to do this for free. I used outlook.com for my testing purposes and Microsoft got some nice documentation on how to do set it up. Keep in mind that you will need to be able to change your DNS settings in order for both of those services to accept mail from and to your domain.

Topology

PFsense Initial Configuration

In the webgui go to the Interfaces menu and setup your interfaces. I will set my networks up with the following information:

For testing purposes I will set up a rule for each of the OPT networks that look like this:

Just change the source network address to the corresponding network you are setting up the rule for.

That concludes the initial configuration.

StartSSL Certificate

You will have to excuse that I don’t have any screenshots for the startssl certificate setup and that’s because I didn’t take any when I initially setup my account. Anyway you go to startssl.com and you can press control panel and press sign-up. Fill in the form and press continue. Continue filling out the forms and follow the instructions on screen. At the end you will get a certificate added to your browser. Save this somewhere safe. Without it you are not going to be able to access your account. There is no username or password, just this certificate that makes you able to login if it’s added to your browsers certificate store. Firefox has its own certificate store and most other browsers uses windows own certificate store. That means if you use Firefox to create your account you will not be able to access your account with any other browser on your computer. To be able to access it using another browser you will have to add your certificate to the Windows certificate store.

During this process you will need to give startssl an email address chosen from a few predefined ones that you can login to and open an email that they will send to you. This is where outlook.com or Google Apps might come in handy if you don’t previously have a mail server setup for your domain.

Once you have successfully created and verified your domain and created your account you can start issuing certificates for your domain. Go to the certificate wizard leaf in the startssl control panel and chose certificate target “Webserver SSL/TLS Certificate”. Press continue and set a key that you remember. Press continue.

• On the next page copy all of the content of the textbox to a text file on your computer. You can use notepad or any other text editor.
• Choose your domain and press continue.
• Type the name you want for your first captive portal page and press continue.
• Press continue again.
• Copy the certificate into a text file just as you did with the private key earlier.
• Once the wizard is done go to the Tool Box leaf and select the “Decrypt Private key” option.
• Copy all of the content you earlier copied to a text file that said Private somewhere in its header into the textbox. Also provide the password you set earlier in the wizard. Decrypt it and copy this new content into a file.

This text that you just decrypted together with the text file containing the certificate header and content will be used when setting up the captive portals with https. Now follow this procedure until you have a certificate for every captive portal you want to create. There is no reason to have a captive portal with http now when you got this far.

In the Tool Box menu in the startssl control panel go to the StarCom CA Certificates link and download the files called StartCom Root CA (PEM encoded) and the Class 1 Intermediate Server CA. Open these files in a text editor.

The contents of these files looks very much like the ones you earlier created through the wizard. Now you will have at least 4 of these weird textiles. One StartCom Root CA, one StartCom Class 1 Intermediate Server CA, one private key and one certificate for your server per server name/captive portal. All these will now be added to the certificate manager in pfsense.

Back in pfsense adding the certs

Alright so now we go back to the web console of pfsense and go to system and chose cert manager.

Press the + on the CAs leaf. Add a descriptive name. This name is local to pfsense and you can use any name you like. I will be using “StartSSL CA” In the Certificate data textbox paste in the content of the StartCom Root CA file that was downloaded earlier. Press save and press the + sign again. This time we will give it a descriptive name of “Start SSL Intermediate” and paste in the content of the corresponding text file. Once this is done it will look something like this:

The StartSSL CA will be self-signed and the Intermediate will list as signed by the StartSSL CA. Now go to the certificates leaf and press the +.

Give the certificate a descriptive name. I prefer to call mine by the server name. Like captiveportal1.mydomain.tld. Then paste in the content from the certificate text file into the Certificate data textbox. Then paste in the content of the Private Key that you earlier decrypted into the private key data textbox and press save.

You will see that it’s listed with “Start SSL Intermediate” as the issuer. Now continue to add one server name for every captive portal that you will be setting up. Just like you had to create a private key/certificate pair for every server at the StartSSL Control Panel.

DNS Forwarder

Now go into services and hit DNS Forwarder. Scroll down till you get to Host Overrides. Here you add the name you used for each certificate you created with the domain that you own. For instance if I have captiveportal.mydomain.tld as my captive portal I set captive portal as the domain name and mydomain.tld as the domain. Then I specify the IP address of the interface on my pfsense box facing the network I want to run the captive portal on. With the topology shown above I might set it up like this if I’m running a captive portal on each of the client networks:

Hostname: captiveportal2
Domain: mydomain.tld
IP: 192.168.2.1

Hostname: captiveportal3
Domain: mydomain.tld
IP: 192.168.3.1

Hostname: captiveportal4
Domain: mydomain.tld
IP: 192.168.4.1

Oh and btw go back to the top and make sure that the “Enable DNS Forwarder” checkbox is set.

DHCP

I will then go into services and hit DHCP Server or DHCP Relay depending on if I have a DHCP server setup already or not. If I have a DHCP server I go to DHCP Relay and specify the interfaces I want to relay. Then I type in the IP address of the DHCP server. If not I can set up DHCP on the pfsense box by going to DHCP Server and entering the range of IP Addresses I want to be handled out. All other settings are fine with the defaults. If you want to know more about DHCP there is plenty of guides on the internet.

Captive Portal

Once that’s done go to services and Captive Portal and press the plus to add a captive portal. The zone name is really the name of the captive portal and can be anything and the description can be anything of your liking as well.

Start by checking the “Enable captive portal” box. Then select the interface you want this particular captive portal to work on right under the enable checkbox.

All the settings down to but not including authentication can be tuned to your liking for your particular environment. I would recommend to at least set an “Idle Timeout” to something like 30 min just to make sure that idle users gets disconnected. At least if you use vouchers so that their time doesn’t just run out. If your users is a bit technically aware you can set the Enable logout popup windows so that they can chose for themselves when to log of the network by pressing the logout button on this popup windows that they will get. However you can run into some problems with this if the browser that the user has is blocking popup or if they are connecting from a tablet or phone and at least one of those criteria is probably going to be true.

I would also set the “After authentication redirect url” to some webpage and maybe use the “Per-user bandwidth restriction” if your bandwidth is somewhat limited. And the last setting I will discuss is the Concurrent user logins which is located a bit higher up on the page. It can be pretty handy if you want users to be able to authenticate on multiple devices. For example if they use both a laptop and a smartphone.

Authentication settings

Alright, I just felt for making a new header here but we are still in the captive portal business. Go down to authentication and set Radius Authentication. Select the MSCHAPv2 protocol and under the “Primary Authentication Source” set the primary radius server IP address. In my case the radius server is located on the 192.168.1.o/24 network so it might have the address 192.168.1.10 for example.

Also you ether set a shared secret here or you can generate a secret key on the radius server later and paste it into this field when that’s done. It doesn’t matter what order you do it as long as the key match both here and on the radius server.

Keep scrolling down to Radius options. Here you set the “Radius NAS IP attribute” to the interface IP of the Pfsense interface facing the network configured for this captive portal. This is not setting the IP address of anything it’s just telling Pfsense to send this information along with all the other information that Pfsense will send to the radius server when checking for an account for a user. It will later help us determine what network/captive portal a user is trying to connect to so that we can allow different active directory groups to authenticate to different captive portals. We are soon done with the captive portal configuration. Just the https stuff left.

HTTPS

This is the easy part of https. Still on the captive portal page scroll down to the https login and check the box “Enable HTTPS login”. Then type the name of the certificate CN that is the same as the name you set up back in StartSSL wizard when creating the certificate. It has to match both the certificate name set there and the name set in the DNS Forwarder or this won’t work. Last piece is to choose the right certificate in the “SSL Certificate” list menu. The name will correspond to the name you set in the cert manager. After that, scroll down and hit save!

Go ahead and setup multiple captive portal with these instructions. Remember to set the Radius NAS IP attribute, set the right interfaces at the top and select the right certificate and write the right name for each captive portal. Oh and check back at the DNS Forwarder page to make sure it’s enabled and correctly configured.

A note about DNS

I didn’t have a problem with this but sometimes you have to add the DNS server address to a bypass list for the clients on the captive portal network. On each captive portal configuration page there is a leaf called “Allowed IP Addresses” you might need to add your DNS server to this list. Try it if your captive portal hangs and won’t show to the client.

Windows NPS

Alright I have installed AD, DNS and NPS on a Windows Server 2012 machine. If you don’t know how to set that up go google it there is a lot of good recourses on the internet. Oh and if I ever write NAP instead of NPS I mean NPS. I just have a bad habit of typing NAP instead of NPS. NAP is really a health check service that is part of NAP…I mean NPS…

The NPS is the Radius server. Go to the metro interface and press Network Policy Server to open the mmc for NPS. Expand “Radius Clients and Servers”

Right click the Radius Clients menu item and hit new. The client giving credentials to pfsense isn’t the client accessing the radius. It’s the pfsense firewall that is. The client just asks the pfsense captive portal to authenticate then the pfsense firewall goes to the radius server and therefore is the radius client.

In this settings dialog that appears type in a friendly name. It could be just “pfsense”. Add the IP address or the DNS name of the pfsense firewall. That’s the IP address facing the radius server. In my case that would be 192.168.1.1.

Then ether select the Manual radio button and write the shared key that you have on your captive portal or generate a key and paste that one in on your captive portal config page in pfsense. Oh and I should mention that this key should be the same for all the captive portals and for this radius server. Press OK and make your face smile as you can see the new pfsense client added in NAP…NPS!!

When that’s done expand the Policies node in the menu and press the network policies node.

This is what will be shown to you. Right click the Network Policies menu item (I say node and menu item to the same thing) and select new. You will create one policy for every captive portal that you need radius authentication for so name them something similar to your captive portals.

Hit next and then add to add a condition. The condition will be tested and must be met in order for the user to be authenticated against this radius server. Here you can be very granular and you can add multiple conditions. This is what I will add for my captive portals:

Under groups I will add User Groups and into that I will add an Active Directory user group that I want to have access through the captive portal. Then I will hit Add again to add another condition. This time I will scroll all the way to the bottom and under Gateway I will find “NAS IPv4 Address” and this value is very important. To this value I will add the IP address I specified in the Radius Option under the configuration for Captive Portal in pfsense. The setting was called “Radius NAS IP attribute” if you don’t remember. So all in all the “Radius NAS IP attribute” setting in the captive portal should match the “NAS IPv4 Address” condition in the Radius server.

When you feel done with the conditions (you can add others like time restrictions if you want) you hit next. On the next page make sure that access is granted, hit next and on the next page make sure that the “Microsoft Encrypted Authentication version 2(MS-CHAP-v2)” is selected. Hit next 3 times and finish.

Make sure that your access rules are on top in the Policy name list by right clocking them and hit “move up” The policies work in such a way that it checks them in order and when it finds a match it will use that rule so if denying rules is before allowing rules you may run into trouble.

On those pages you skipped by pressing next you can surely do some configuration as well if you need to for your setup (just a note).

Anyway that concludes the setup of the radius server. For each captive portal you just match the “Radius NAS IP attribute” of the captive portal with the “NAS IPv4 Address” condition of the radius server and the “Radius NAS IP attribute” in the captive portal should be set to the IP of the interface facing the captive portal client network.

Vouchers

If you want to add vouchers to yet another captive portal you can create a new one and select vouchers as the authentication method and don’t forget all the other stuff like creating another certificate, add it to the cert manager, add the name of the cert to the DNS Forwarder and set the right configurations under the new captive portal.

Then after all that go to the captive portal configuration and hit the “vouchers” leaf. Check the “Enable Vouchers” checkbox and hit save to have a + appear in the Vouchers Rolls configuration area. Hit it and enter a Roll number between 0 and 65535. Add a minutes per ticket value. This value will dictate how long each voucher will be able to keep the owner of the voucher logged in through the captive portal. Enter a count between 1 and 1023. That’s how many vouchers you want. And finally don’t forget to add a description. It can be messy after a while if you don’t. At least add the date that you created the vouchers. Hit save.

Now hit the white “i” in the blue circle to download a csv file with the vouchers. In notepad this file will look really ugly so instead please use something like notepad++.

To enable the users to use vouchers go back to the captive portal leaf and scroll down to the Portal page content setting. In the description of this setting you will find some html. Copy it to an html file and upload it for this setting. Hit save. Now you will have a field for vouchers as well as username and password. Alter the html to make it prettier and more useable for your users. And you can remove ether username/password or voucher if you just want one of the methods for authentication for your captive portal. This can of Corse be done differently on each captive portal.

Oh and by the way, Thanks for reading! And sorry that I didn’t have more pictures!

I didn’t have a problem with this but sometimes you have to add the DNS server address to a bypass list for the clients on the captive portal network. On each captive portal configuration page there is a leaf called “Allowed IP Addresses” you might need to add your DNS server to this list. Try it if your captive portal hangs and won’t show to the client.

At the time of writing I didnt know why I needed to add the DNS server to the bypass list but after reading up on the forum and testing I came to realize that its when you dont use pfsense with DNS Forwarder and point your clients to the pfsense box as the DNS Server that you need to add the DNS server to the bypass IP list.

Another misstake that seems common is that your DHCP lease should be at least as long as your hard timeout(can also be longer) in order to avoid users getting an IP address from the DHCP server that is already approved by the captive portal.

My issue is I am unable to get CP authentication page. When ever a client tries to access [eg: www.google.com]
it never ask for authentication, but I can access my portal page manually [eg: if I enter http://10.20.0.1:8000] & i can do authentication]

Please tell me where exactly went wrong? I am searching a solution for last 1 week & unable to get any clue….

My issue is I am unable to get CP authentication page. When ever a client tries to access [eg: www.google.com]
it never ask for authentication, but I can access my portal page manually [eg: if I enter http://10.20.0.1:8000] & i can do authentication]

Please tell me where exactly went wrong? I am searching a solution for last 1 week & unable to get any clue….

[This issue has been solved by restarting my /quote]</client></pfsense></modem></internet>

Good to hear that your problem was solved. As a general rule when I think I did configure something correct I usualy give it a restart and it usualy solves the problem. If it doesnt its probably a configuration error somewhere. It goes for alot of things in pfsense.

I noticed that pictures no longer show here so I have uploaded a PDF containing the guide. The pdf will only be available on this address till 4th of May though. After that I will post a new address with a new location.